Nearly every day you hear another story about a company whose network was attacked, and the Cloud Security Alliance just reported that around 22% of data breaches suffered by businesses happened because of compromised credentials. We know that password strength is incredibly important, yet people still use weak passwords that are easy for them to remember but also incredibly easy to crack.
2015's list of the most common (and therefore worst) passwords contains many classics like "123456", "password", and "qwerty". However, other easy-to-guess dictionary words made the list, including "football", "dragon", and "letmein". Users with passwords like these are asking for problems; aside from being the first terms that someone who knows the user would guess, single dictionary words take no time to crack at all.
When hackers attempt to break a password, they don't sit down and type out every possible combination. They use dictionary attacks or brute-force algorithms to try thousands of combinations in a matter of seconds — the shorter and less complex the password, the faster it is broken.
This makes sense — if you had four items and had to arrange them in every possible order, it would only take you a minute. With 100 items, though, creating every possible order would be a massive task. It's the same way with passwords, which is why length is critical. Passwords should not be shorter than eight characters, while 12 is a better minimum to shoot for.
The above "try everything" methods of attacks aren't the only way that passwords are compromised. Thanks to phishing (pretending to be someone legitimate in order to steal user passwords) and other similar methods, users often give their passwords over to a malicious entity without even realizing it. Here, it doesn't matter if you have a 30-character password — by handing it right to the person who wants to steal it, you've made his job easier.
A further risk is posed by using the same password on several sites. Once someone figures out the password for a user, they will likely try to use that password on other sites, assuming that it has been reused in multiple places. This is especially deadly with email accounts, because they allow you to reset passwords — so if someone breaks into your email account, even if you don't use that password elsewhere, they can enter your email address into various sites and request password resets. Because of its significance, make sure your email account password is strong and different from the passwords you use on other sites.
If you'd like to get a baseline on how secure various passwords could be, using a password checker site like How Secure is my Password? can give you a ballpark on how long it would take to crack your password. To stay safe, never type any of your actual passwords into these sites, and keep in mind that they are not always accurate (it says that "thisisapassword" would take a thousand years to crack), but it's at least a start.
So, it makes sense to enforce secure passwords, but if people can't remember them, they're liable to write them on a sticky note at their desk or keep a text file on their desktop, which defeats the purpose of having a strong password. The solution to this issue is using a password manager, like LastPass, Dashlane, or 1Password. These services are vital for remembering all the passwords of daily life — they allow you to generate secure passwords for every site and remember them all under one master password (so you can have a 30+ character password that you don't have to remember!).
Know who makes me change my password every few months? Universities. Know who doesn't? Online games. Which one has more security breaches?
— Ian Schreiber (@IanSchreiber) April 22, 2016
The benefits are many: mobile apps for signing in on the go, browser extensions that let you automatically sign into your accounts (more secure than the browser's built-in solution), the ability to save multiple logins for one website (such as Gmail), and passwords that change automatically.
The passwords are kept secure with strong encryption that only you, not the company, can access. The most secure password is one you can't remember, and a password manager lets you create as many of these as you want, all locked behind one strong master password — this is the only one you have to remember!
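The following Python script is an added example, not code from the original article or from any of the password managers it names. It puts numbers on two points made above: the "arrange four items versus 100 items" argument for length (each extra character multiplies the search space by the size of the character pool), and the reason a password manager's generated passwords are so much stronger than anything you would choose yourself. The guess rate of ten billion guesses per second is a hypothetical figure chosen for illustration, and the tiny "dictionary" is constructed from the article's own list of common passwords; the function names are mine.

```python
import math
import secrets
import string

# Hypothetical offline guess rate used for the estimate (not a figure from the
# article): ten billion guesses per second against a fast, unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed mini "dictionary" built from the common passwords the article
# lists; a real cracking wordlist holds millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "football", "dragon", "letmein"}

SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the smallest standard character pool that covers the password.

    Characters outside the four classes (spaces, non-ASCII) are ignored, which
    keeps the estimate conservative rather than flattering."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)  # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)  # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)  # 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)  # 32
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover: pool ** length."""
    if not password:
        return 0
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: every extra character adds log2(pool) bits."""
    pool = charset_size(password)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def seconds_to_crack(password: str) -> float:
    """Worst-case time for a brute-force search; dictionary words fall instantly."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / GUESSES_PER_SECOND


def generate_password(length: int = 20) -> str:
    """Random password from the full 94-character pool via the OS CSPRNG,
    the same idea a password manager's generator uses. Rejection-samples until
    every class is present so the estimate above applies to the result."""
    if length < 4:
        raise ValueError("need at least one character from each of the 4 classes")
    pool = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if charset_size(candidate) == len(pool):
            return candidate


def report(password: str) -> dict:
    """Summary a checker site would show, computed locally so no password leaves the machine."""
    secs = seconds_to_crack(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "seconds_to_crack": secs,
        "years_to_crack": secs / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    # "Xk9#pLm2" is a constructed 8-character sample using all four classes.
    for pw in ["password", "abcdefgh", "Xk9#pLm2", generate_password(20)]:
        print(pw, report(pw))
```

Running it shows why length beats cleverness: eight lowercase letters fall in about 21 seconds at the assumed rate, eight characters from the full pool take about a week, and a generated 20-character password pushes the worst case past the age of the universe. Unlike a web checker, the script runs offline, so the caveat about never pasting real passwords into a website does not apply to it.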
With all the security risks that bad passwords can pose, we recommend using a password manager to help you out. After a bit of setup, you'll wonder how you ever kept track of all your passwords without them. Start using one now and kick risky password habits forever!